002459 British Library Setup and management support for software development pipeline tools

Description

Pre-market engagement The British Library have developed an overview of the approach with a security partner, with a wider consideration for how this impacts things like the desktop build for our developers, and reached out to existing Suppliers to run through the approach to confirm skills are available in the market place but have not yet consulted with anyone on the configuration or management of the proposed tooling Work done so far A diagram detailing the development pipeline is available on request. This will be supported by a defined developer tool set, with GitHub, GitHub Advanced Security and Azure DevOps. The Library have written policy covering most areas of software development, but are yet to detail the processes that underpin them. A full review of the desktop needs of software developers has been completed, and an agreed build settled upon. We have also built a new hybrid directory environment, along with a ground up rebuild of our RBAC structures, along with implementing an HPE Greenlake platform for on-premise hosting, and an Azure Landing Zone for cloud, the solution will need the capability to deploy to either or both environments This all sits on a brand new architected infrastructure with a comprehensive security layer. Which phase the project is in Alpha Existing team The Library have a team of approximately 30 software developers, or people in closely related roles. Some of these are teams that are close to a DevOps role, and some sit outside of the IT function in specialists units. We will look to integrate their working environments. There is a small test team that sits within software development too. Alongside this are Business Analysts, Technical Architects, Infrastructure Engineering, a PMO and Governance teams, and a full Operations function Address where the work will be done Largely remotely via Teams, but with occasional visits to the British Libraries St Pancras 96, Euston Road, london, NW1 2DB and Boston Spa, West Yorks, LS23 7BQ Sites Working arrangements The Library would like an initial mini project type approach for setting up the tooling and pipeline , working closely with the line management team in software development. Beyond this, we’d like to create the sense of someone as ‘part of the team’, attending team meetings, workshops and other gatherings as required. These will largely be virtual in nature, as we operate a hybrid environment, with an expectation of onsite presence on an ‘as required’ basis. Provide more information about your security requirements: Security Check (SC) Provide more information about your security requirements (optional): All people working on this project will be required to complete a CRB check before access can be granted to our systems or environment. All access to systems will be via an authenticated BL domain account, via a Password Access Management tool where possible. Latest start date 2024-10-01 Enter the expected contract length: 6 months Special terms and conditions Not Applicable Are you prepared to show your budget details?: Yes Indicative maximum: 80000 Indicative minimum: 40000 Confirm if you require a contracted out service or supply of resource Contracted out service: the off-payroll rules do not apply Summary of work The British Library are rebuilding our development environment with a new standardised approach, and a common tool set and processes across all our development teams. We will be using GitHub Enterprise, GitHub Advanced Security and Microsoft Azure DevOps, with our development teams using Visual Studio Enterprise. We need assistance to develop an initial configuration that is suited to our needs, and then ongoing support in daily administration and evolution of the tool for a 6 month period. Where the supplied staff will work Yorkshire and the Humber Where the supplied staff will work London Where the supplied staff will work No specific location (for example they can work remotely) Who the organisation using the products or services is The British Library Why the work is being done In October of last year, the British Library experienced a major cyber incident, with a ransomware attack, followed by malicious deletion of data. We have been, since then, building a new environment from the ground up, based on rigorous security guidance from experts, including NCSC. We are now at the stage of starting to rebuild some of our core line of business applications, or refactor existing ones to our new environment. This requires a substantial development effort across our teams, and may well in future, also require 3rd party support. As part of this, we have created a standardised approach to our development pipeline, in line with industry best practice planning on using tools that are well adopted in the marketplace, including GitHub and Azure DevOps. We however, do not have expertise in these tools, neither in optimal configuration, nor in their cooperation with one another, along with how we best fit with other services like EntraID. We therefore need help in defining the best initial configuration and implementing it, and then ongoing support for an initial 6 months. We anticipate the sort of tasks that will be included to be: • GitHub Setup o Entra ID link  For internal Staff  Alternate service for External – to be determined/ identified o GitHub Roles configuration o GitHub Advanced Security – Org policy setup (enable vulnerability scanning by default on repo's) o On-going support for the above • Azure DevOps Setup o Roles configuration o Setup/support ability to deploy on prem (Self-Hosted Agent in Greenlake) - Setup/Define/support how we deploy to Azure • Pipeline Builds o Technical Support for team to be able to create initial pipelines which then will lead on to a repeatable process for the team on future projects. o And / or create and support pipelines on teams behalf o The initial focus will be the build and deployment of the software components rather than the design and build of the infrastructure or infrastructure as code, though the BL has aspirations to move in this direction and so would like to understand the skills available The business problem you need to solve The British Library need a managed and secure path for software development through to deployment. The Library have started developing documented policy and processes for things like release management, peer code reviews, and access control, but need assistance to help us create a modern development pipeline that will be fit for purpose, allow the BL to deliver at speed and be understood by future 3rd parties. So not only do we need help and guidance on how best to do that, we need support in documenting the best practice processes that will embed this as a way of working for the future First user type: Development and test teams Enter more details about this user type: The primary audience will be the development and test teams with varying skill levels , but there will be an active interest from other teams including business analysis, security and business continuity teams . They will be making requests to you, taking advice from you, and providing input and guidance on what works and what doesn’t Questions and Clarifications 0. Q1 Please can we see: “diagram detailing the development pipeline” Q2 “written policy covering most areas of software development” Q3. Full review of the desktop needs of software developers” Q3a How many teams do you have currently? Q4. Are the teams separated by discipline or cross-functional? Q5. Does the 6 months of support assume provision for training of staff in principles and practices such as DORA, CI/CD, test automation etc? Q6.How is infrastructure currently built and maintained? Q7. Are there any Infrastructure as Code skills internally at present? Q8.Is the “brand new architected infrastructure” built with infrastructure as code? Do you have anything you can share about this generally? Q9.Are there any security or other requirements that would prevent you from using Azure DevOps agents to deploy to your on-premises infrastructure? Q10. Will we have direct access to some of the other teams mentioned in the brief - e.g. Security, business analysis - to be able to answer questions / unblock if required? Q11. Do you intend to use Github only for version control and Azure DevOps for build / release pipelines / documentation etc? thanks A1 Please provide an email address and I will share A2 Please provide an email address and I will share A3 .The review did not result in a formal document, but a list of current tools that is currently used by the development teams, that will need to be rationalised. This will be shared with the winning supplier as part of the engagement. A3a 3 development teams in technology, Web Archiving, Web Development, Application Development with AppDev being split further into AppDevNorth, AppDevSouth, and AppDevTest. We do however have other teams throughout the business that also undertake 'software development' activities. A4 Its a mixture - the Teams are line managed by discipline development, test, etc. - but work in cross-functional teams when carrying out projects/work i.e. teams made up of developers, testers and business colleagues working collaboratively . A5. Where formal training is identified or recommended by the supplier as part of the engagement working, a separate training budget is available, though Knowledge Transfer is expected as part of the solution A6. We have a project team, included existing suppliers architecting and delivering the new environment A7. Minimal, we some have experience from previous roles outside the BL, therefore treat as a new skill to the organisation. A8. No, but architected to not restrict infrastructure as code as a future capability A9.Nothing insurmountable A10. Yes resources will be made available as required A11.At this stage yes, the focus would be using github for centralised source code repository/version control - along with SAST through the use of GitHub Advanced Security. We would then intend to use Azure DevOps for running the build and release pipelines. Last Updated: <strong>2024-08-05T12:42:26.613225Z</strong>